F2F Quota
Use these commands to show details of an F2F (Forward to Firewall) DDoS flood attack, and how the protection works to mitigate it:
- asg f2fq
- fwaccel f2fq stats
- fwaccel6 f2fq stats
F2F detects traffic floods and prevents performance degradation on the 61000/41000 Security System. It gives high priority to known, important packets from the Performance Pack and drops packets suspected of being part of a DDoS attack.
Two examples of known F2F flood attacks are UDP floods and fragmentation attacks. These attacks exhaust resources because the system allocates memory while it tries to reassemble the packet fragments.
Use fwaccel for IPv4 information and fwaccel6 for IPv6 information.
Syntax
> fwaccel f2fq stats [-v]
> fwaccel f2fq -c <file>
> fwaccel f2fq -a
> fwaccel6 f2fq stats [-v]
> fwaccel6 f2fq -c <file>
> fwaccel6 f2fq -a
> asg f2fq [-b <sgm_ids>] [-6 | -4]
Parameter    | Description
-------------|------------------------------------------------------------
-v           | Shows detailed (verbose) statistics.
-b <sgm_ids> | Works with SGMs and/or Chassis as specified by <sgm_ids>.
             | <sgm_ids> can be:
             | - No <sgm_ids> specified, or all: shows all SGMs and Chassis
             | - One SGM
             | - A comma-separated list of SGMs (1_1,1_4)
             | - A range of SGMs (1_1-1_4)
             | - One Chassis (Chassis1 or Chassis2)
             | - The active Chassis (chassis_active)
-6           | Shows the IPv6 status only
-4           | Shows the IPv4 status only
-c <file>    | Uses the parameters in <file>
-a           | Uses the parameters in $FWDIR/conf/f2fq.conf
Example
This example shows details of IPv4 activity for all Firewall instances.
> fwaccel f2fq stats -v
+---------------------------------------------------------------------------+
| DDOS Mitigation |
+---------------------------------------------------------------------------+
| Mode: Enforcing |
| Status Normal |
| Last 10 seconds drops 13146 |
+---------------------------------------------------------------------------+
| Instance | Reason | Drops / Hits |
+---------------------------------------------------------------------------+
| FW 0 | CONN_MISS_TCP_SYN | 103365 / 104629 |
+---------------------------------------------------------------------------+
| FW 1 | FRAG | 6232 / 13816 |
| | CONN_MISS_TCP_SYN | 101096 / 102203 |
| | CONN_MISS_TCP_OTHER | 13146 / 14359 |
+---------------------------------------------------------------------------+
| FW 2 | FRAG | 1339 / 1339 |
| | CONN_MISS_TCP_SYN | 101087 / 102143 |
+---------------------------------------------------------------------------+
| All | FRAG | 7571 / 15155 |
| | CONN_MISS_TCP_SYN | 305548 / 308975 |
| | CONN_MISS_TCP_OTHER | 13146 / 14359 |
+---------------------------------------------------------------------------+
The output shows this information:
Item                  | Description
----------------------|------------------------------------------------------------------
Last 10 seconds drops | The number of dropped packets during the last 10 seconds.
Instance              | The verbose output shows a historical aggregate of the results for each Firewall instance.
Drops / Hits          | The number of dropped packets out of the total number of packets, grouped by the attack type (Reason).
Example - asg f2fq
This output shows how the protection mitigates the DDoS attack, for each SGM.
> asg f2fq
+-------------------------------------------------------------------------+
| DDOS Mitigation |
+-------------------------------------------------------------------------+
| Blade | Protocol | Config | Status | Last 10 sec drops |
+-------------------------------------------------------------------------+
| 1_01 (!) | IPv4 | Enforcing | Under Attack | 151130 |
| 1_01 | IPv6 | Enforcing | Normal | 0 |
| 1_02 | IPv4 | Enforcing | Normal | 0 |
| 1_02 | IPv6 | Enforcing | Normal | 0 |
| 1_03 | IPv4 | Enforcing | Normal | 0 |
| 1_03 | IPv6 | Enforcing | Normal | 0 |
| 1_04 | IPv4 | Enforcing | Normal | 0 |
| 1_04 | IPv6 | Enforcing | Normal | 0 |
+-------------------------------------------------------------------------+
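The two tables above (the per-instance "fwaccel f2fq stats -v" output and the per-SGM "asg f2fq" output) are what an operator reads during an incident. The following script is an added example, not Check Point code: it parses both layouts as shown on this page, computes the drop ratio (Drops / Hits) per Firewall instance and attack reason, checks that the "All" row is the sum of the per-instance rows, and lists the SGM/protocol pairs reported as "Under Attack". The embedded samples are the page's own example output; the threshold value and all function names are this example's own choices.

```python
"""Parse the F2F quota tables ('fwaccel f2fq stats -v' and 'asg f2fq') and flag
DDoS mitigation activity. Added example, not Check Point code: it assumes the
table layouts shown on this page; samples are taken from the page's example output."""
import re

STATS_SAMPLE = """\
| DDOS Mitigation |
| Mode: Enforcing |
| Status Normal |
| Last 10 seconds drops 13146 |
+---------------------------------------------------------------------------+
| Instance | Reason | Drops / Hits |
| FW 0 | CONN_MISS_TCP_SYN | 103365 / 104629 |
| FW 1 | FRAG | 6232 / 13816 |
| | CONN_MISS_TCP_SYN | 101096 / 102203 |
| | CONN_MISS_TCP_OTHER | 13146 / 14359 |
| FW 2 | FRAG | 1339 / 1339 |
| | CONN_MISS_TCP_SYN | 101087 / 102143 |
| All | FRAG | 7571 / 15155 |
| | CONN_MISS_TCP_SYN | 305548 / 308975 |
| | CONN_MISS_TCP_OTHER | 13146 / 14359 |
"""
ASG_SAMPLE = """\
| Blade | Protocol | Config | Status | Last 10 sec drops |
| 1_01 (!) | IPv4 | Enforcing | Under Attack | 151130 |
| 1_01 | IPv6 | Enforcing | Normal | 0 |
| 1_02 | IPv4 | Enforcing | Normal | 0 |
| 1_02 | IPv6 | Enforcing | Normal | 0 |
"""

MODE_RE = re.compile(r"^\|\s*Mode:\s*(\S+)")
STATUS_RE = re.compile(r"^\|\s*Status\s+(\S+)")
LAST_RE = re.compile(r"^\|\s*Last 10 seconds drops\s+(\d+)")
# The instance cell is blank on continuation rows that belong to the instance above.
STATS_ROW_RE = re.compile(r"^\|\s*(?P<inst>[^|]*?)\s*\|\s*(?P<reason>[A-Z_]+)\s*\|"
                          r"\s*(?P<drops>\d+)\s*/\s*(?P<hits>\d+)\s*\|")
# '(!)' after the SGM id marks the blade the system calls attention to.
ASG_ROW_RE = re.compile(r"^\|\s*(?P<sgm>\d+_\d+)\s*(?P<mark>\(!\))?\s*\|\s*(?P<proto>IPv[46])\s*\|"
                        r"\s*(?P<config>[^|]+?)\s*\|\s*(?P<status>[^|]+?)\s*\|\s*(?P<drops>\d+)\s*\|")


def parse_f2fq_stats(text):
    """Return mode, status, last-10-second drops and per-instance (drops, hits) counters."""
    result = {"mode": None, "status": None, "last10_drops": None, "instances": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MODE_RE.match(line):
            result["mode"] = m.group(1)
        elif m := STATUS_RE.match(line):
            result["status"] = m.group(1)
        elif m := LAST_RE.match(line):
            result["last10_drops"] = int(m.group(1))
        elif (m := STATS_ROW_RE.match(line)) and (m.group("inst") or current):
            current = m.group("inst") or current
            counters = result["instances"].setdefault(current, {})
            counters[m.group("reason")] = (int(m.group("drops")), int(m.group("hits")))
    return result


def flag_heavy_drops(stats, threshold=0.5):
    """(instance, reason, drop ratio) where drops/hits reaches the threshold, worst first."""
    flagged = []
    for inst, counters in stats["instances"].items():
        if inst == "All":  # the aggregate row would double count
            continue
        for reason, (drops, hits) in counters.items():
            ratio = drops / hits if hits else 0.0
            if ratio >= threshold:
                flagged.append((inst, reason, ratio))
    return sorted(flagged, key=lambda t: t[2], reverse=True)


def totals_consistent(stats):
    """True when the 'All' row equals the sum of the per-instance rows."""
    summed = {}
    for inst, counters in stats["instances"].items():
        for reason, (drops, hits) in counters.items():
            if inst != "All":
                d, h = summed.get(reason, (0, 0))
                summed[reason] = (d + drops, h + hits)
    return summed == stats["instances"].get("All")


def parse_asg_f2fq(text):
    """One dict per SGM/protocol row of 'asg f2fq'."""
    rows = []
    for raw in text.splitlines():
        if m := ASG_ROW_RE.match(raw.strip()):
            rows.append({"sgm": m.group("sgm"), "protocol": m.group("proto"),
                         "status": m.group("status"), "last10_drops": int(m.group("drops")),
                         "flagged": m.group("mark") is not None})
    return rows


def under_attack(rows):
    """(sgm, protocol, drops) for rows the system reports as 'Under Attack'."""
    return [(r["sgm"], r["protocol"], r["last10_drops"]) for r in rows if r["status"] == "Under Attack"]


if __name__ == "__main__":
    print(flag_heavy_drops(parse_f2fq_stats(STATS_SAMPLE)), under_attack(parse_asg_f2fq(ASG_SAMPLE)))
```

On the page's sample, FW 1 FRAG (6232 of 13816 hits dropped) stays below the 0.5 threshold while every CONN_MISS_TCP_* reason is above 0.9, which is the pattern the "Under Attack" status in the asg f2fq table summarises per SGM. To run it against a live system, replace the two sample strings with the captured output of the commands.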